Palo Alto User-ID and Terminal Server Agent Certificates

Palo Alto User-ID and Terminal Server Agent Certificates
Palo Alto User-ID and Terminal Server Agent Certificates

On November 18th, 2024, the certificates that the Palo Alto User-ID agent and the Palo Alto Terminal Server agent use to communicate with a Palo Alto firewall will expire, causing all communication to fail.

Palo Alto Networks has made new versions of the User-ID and TS agents with updated certificates that will expire on January 1st, 2032.

Before upgrading the User-ID or TS agent, you must upgrade your Palo Alto firewall to a version that supports the updated User-ID and TS agent certificate. Check the Palo Alto advisory here to determine which PAN-OS version you need.

If you want to know how to upgrade a Palo Alto firewall using CLI my blog post Upgrade Palo Alto HA Pair (Active/Passive) with CLI covers the entire process. If you want to upgrade your Palo Alto firewall using the GUI, my blog post, Upgrade Palo Alto Firewall HA Pair (Active/Passive), covers the entire process.

Once you’ve upgraded your Palo Alto firewall, you can upgrade the User-ID and TS agents to the new version.

My blog post, Palo Alto User-ID Agent Upgrade, details the entire upgrade process for the User-ID agent. My blog post, Palo Alto Terminal Server Agent Upgrade, details the upgrade process for the Terminal Server agent.

After I upgraded my User-ID and TS agents, I wanted to validate that everything was using the new certificates before the expiry deadline. I couldn’t find a straightforward way to check. However, I figured out a way.

In this post, I will detail step-by-step how to check the certificates that the Palo Alto User-ID agent and the Palo Alto Terminal Server agent use to communicate with PAN-OS.

The Process

  • Connect to the system that has the Palo Alto User-ID or TS agent installed and browse to the installation directory.

User-ID is typically installed to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent

TS Agent is typically installed to C:\Program Files\Palo Alto Networks\Terminal Server Agent

  • Open the ca-cert.pem file with notepad.
  • Copy the certificate to a certificate decoder.

I like to use CyberChef. Here’s the recipe I used.

When you paste the certificate, you should get an output like this.

CyberChef output of the ca-cert.pem file with the new expiry date

If the Not After date says 01/01/2032, you have already upgraded and are safe until 2032.

If the Not After date says 18/11/2024, you must upgrade your Palo Alto User-ID or TS Agent to get the new certificate.

CyberChef output of the ca-cert.pem file with the old expiry date.

That’s all it takes to check the certificate expiry date on the Palo Alto User-ID agent or the Palo Alto Terminal Server agent.

4 responses to “Palo Alto User-ID and Terminal Server Agent Certificates

Zurattor

Hello,

I have 10.2-h4 do and I don’t have any USER ID agent only local users as administrators, do I need to upgrade palo alto version?

Daniel Keer

If you don’t use User-ID then you don’t need to upgrade to address the User-ID certificate expiry. However newer versions of other PAN-OS address other issues and you may want to upgrade to fix those issues. If you aren’t currently running a preferred release of PAN-OS I’d personally recommend looking into upgrading to a preferred release.

Danilo

Hi , thanks por your explication , but is possible validate the information for certificated under de Palo alto via cli post upgrade Firewall and Agent id ?

Thanks

Daniel Keer

Hello,

I believe there is a way to validate the certificates using CLI using the Palo Alto User ID check https://github.com/PaloAltoNetworks/userid-check I haven’t tried that method.

Leave a comment

Your email address will not be published. Required fields are marked *